Warning on Spoofed Login Windows in Firefox

A new phishing flaw emerges as security researcher alleges risk and Mozilla investigates.

A common feature on many Web sites is a pop-up dialog box where users enter their username and password. Before you enter your information in Firefox next time, you might want to think twice. Security researcher Aviv Raff is alleging that in the latest Firefox 2.0.0.11 release the pop-up dialog box for password entry can be spoofed in a phishing attack.

"Mozilla Firefox allows spoofing the information presented in the basic authentication dialog box, Raff wrote in an advisory. "This can allow an attacker to conduct phishing attacks, by tricking the user to believe that the authentication dialog box is from a trusted Web site."

Raff explained that the vulnerability exists because Firefox doesn't 'sanitize' all the characters in the authentication box for the realm value that defines where the authentication is from. As such it is possible for an attacker to maliciously craft a Realm value that looks as though the password dialog box comes from a trusted site such as a financial institution.

"When the victim clicks on the link, the trusted Web page will be opened in a new window, and a script will be executed to redirect the new opened window to the attacker's Web server, which will then return the specially crafted basic authentication response," Raff wrote. In addition to the advisory Raff has posted a video on YouTube showing how the vulnerability can be exploited.

Mozilla Chief Security Officer Window Snyder in an e-mail sent to InternetNews.com said that Mozilla is investigating the issue. Snyder also noted that Raff did not first properly inform Mozilla of the security issue.

"Aviv Raff first posted this information in a public forum," Snyder commented. "At Mozilla, we prefer that security researchers notify us of potential issues by either filing a security sensitive bug in https://bugzilla.mozilla.org or e-mailing security@mozilla.com. It helps us keep users safe when security researches notify us before making details publicly available, but we appreciate all contributions."

Raff was not immediately available for comment.

As a workaround Raff noted in his advisory to avoid providing usernames and passwords to Web sites that use the basic pop-up dialog box authentication method.

Mozilla has had its share of issues with password related phishing and cross site scripting vulnerabilities. The Firefox Password Manager was first revealed to have security issues in November of 2006. Mozilla has since fixed some of the issues with Password Manager though it is still a cause for concern with some security researchers. In fact, a key part of the upcoming Firefox 3 release is a rewritten Password Manager.

"Firefox 3 has improved security UI to minimize the opportunities an attacker has to lure a user into entering information where they shouldn't," Snyder said.

The Firefox 3 final release is expected later this year. As Mozilla is currently investigating Raff's allegations, it is not yet clear when a security update may be available for Firefox 2.0.0.11.